UEFI secure boot is getting a lot of attention lately, particularly in terms of how to install new keys, who owns those keys, and where the chain of trust should end. SuSE has some excellent blog posts outlining how it works and Matthew Garrett also has many...

So we're booting our new UEFI-enabled system in secure boot mode and we've got a signed shim, grub and kernel. We've got an added layer of security, knowing that the code we're booting hasn't been modified. Now let's say we'd like to continue to lock down the...

Last time I went through a comparison of UEFI Secure Boot and the root of trust you can construct using a TPM. There are various trade-offs in using UEFI Secure Boot versus a TPM-based trusted boot, one of which was this: "If a signature verify fails...